"Who did it?" Attribution, some may argue, is a challenge "as old as crime and punishment." In the cyber realm
too, criminal attribution is a key delineating factor between cybercrime and other threats. When investigating a 
given incident, law enforcement is challenged with tracing the action to its source and determining whether the 
actor is a criminal or whether the actor may be a terrorist or state actor posing a potentially greater national 
security threat. 

Blurry lines between various types of malicious activity in cyberspace may make it difficult for investigators to 
attribute an incident to a specific individual or organization. Without knowing the criminal intent or motivation, 
some activities of cybercriminals and other malicious actors may appear on the surface to be similar, causing 
confusion as to whether a particular action should be associated with a criminal or other actor. Further, "[t]he
speed and anonymity of cyber attacks makes distinguishing among the actions of terrorists, criminals, and nation
states difficult, a task which often occurs only after the fact, if at all." Moreover, officials have noted cooperation
and blurring of lines between types of actors, including nation states, organizations, and individuals, which can
complicate or stymie attribution. 

Attribution in the Sony Pictures Entertainment Breach 

The attribution issue is highlighted in the November 2014 revelation of a breach at Sony Pictures Entertainment 
(SPE) by actors claiming responsibility and calling themselves the "Guardians of Peace." The Federal Bureau of 
Investigation (FBI), in its investigation of the breach, notes that it "consisted of the deployment of destructive 
malware and the theft of proprietary information as well as employees' personally identifiable information and 
confidential communications. The attacks also rendered thousands of SPE's computers inoperable, forced SPE to 
take its entire computer network offline, and significantly disrupted the company's business operations." Hackers 
further threatened a September 11, 2001-type of attack on movie theaters that showed "The Interview," a spoof
about journalists tasked with killing North Korea's Supreme Leader, Kim Jong-un. There has been debate about 
the true source of the breach. As of December 2014, the FBI — leading an interagency effort — had attributed the 
hack to the North Korean government. In its attribution, the FBI cited malware linked "to other malware that the 
FBI knows North Korean actors previously developed," "significant overlap between the infrastructure used in this 
attack and other malicious cyberactivity the U.S. government has previously linked directly to North Korea," and 
tools similar to those used in a 2013 North Korean cyberattack against South Korean banks and media outlets. 
Nonetheless, experts critical of this attribution note that the evidence linking North Korea to the SPE breach is not 
definitive. Further fueling concerns that the hack may be mis-attributed, U.S. officials have not revealed specifics
surrounding how the attribution was reached. 

As a response to North Korea's "numerous provocations, particularly the [2014] cyber-attack targeting Sony
Pictures Entertainment and the threats against movie theaters and moviegoers," President Obama signed an
Executive Order on January 2, 2015, authorizing additional sanctions against certain individuals and entities 
associated with the North Korean government. 

Attribution in the Anthem Inc. Breach 

In February 2015, it was revealed that one of the nation's largest health insurance companies, Anthem Inc., had 
suffered a data breach involving the personal information — including Social Security numbers — of potentially 80 
million individuals. However, Anthem does not believe that banking, credit card, or certain medical information
was compromised. Law enforcement has not publicly attributed this attack. Notably, "security experts involved in 
the ongoing forensics investigation into the breach say the servers and attack tools used in the attack on Anthem
bear the hallmark of a state-sponsored Chinese cyberespionage group known by a number of names, including
'Deep Panda,'" as well as a professor at Southeast University in China. Nonetheless, a definitive attribution for the
Anthem Inc. breach has not been made. 

Federal Efforts to Enhance Attribution 

Determining the actor (and actor's motivation) involved in a cyber incident will in turn help guide how the United 
States responds. If a criminal — motivated by profit — is the perpetrator, the investigation and response may be led 
by law enforcement using the tools of the criminal justice system. If the perpetrator is deemed to be a
state-sponsored actor, the United States may utilize diplomatic or military tools in its response. Notably, the criminal
justice system has standards of proof for attributing an incident to an individual. It is less clear in other domains 
— such as attribution as a basis for war or a response to cyberterrorism — what the standard of attribution or proof 
may be. 

A number of issues may pose challenges for accurate, timely attribution. For instance, the anonymizing tools that 
lie within the Internet through means such as The Onion Router (Tor) can help mask the identities of actors. While
such tools can help protect privacy online, they can also help hide malicious, illegal activity. Policymakers may 
consider how Congress can assist law enforcement and others in enhancing attribution of cyber incidents within 
the framework of today's rapidly changing technology space. They may question whether law enforcement has 
sufficient resources — authorities, technological capabilities, and manpower. 

While attribution remains a challenge, the Director of National Intelligence notes that "[g]overnmental and private
sector security professionals have made significant advances in detecting and attributing cyber intrusions." The
FBI has reportedly bolstered its efforts to better attribute cyberthreats and attacks. Through the Next Generation 
Cyber Initiative, the FBI is developing agents to connect with critical infrastructure components and computer 
scientists to "extract hackers' digital signatures" and determine their identities, all to help concretely attribute a
specific actor to a cyber incident. Similarly, the Department of Defense has reportedly "made significant
investments in forensics to address this problem of attribution." Congress has already shown interest in
understanding whether accurate attribution can help deter cyberattacks as well as in ensuring that investigators 
have the tools and skills to accurately attribute incidents. 



